If most malware comes through internet...

Let only the O/S communicate through the internet without going through a browser.

Then have a locked down browser and make all non-essential programs (non O/S programs) have to go through that browser for any internet communications, no more phone-home allowed for any non-O/S programs.

Then have the browser screen things extremely tightly (i.e. err toward letting nothing even remotely suspicious through). It might have high false positives, but if nothing essential goes through the browser, a high false-positive rate is not a problem for the core functioning of your O/S.

For other threats:

No more auto-updates for anything, even your browser. If you need to do updates to non-O/S programs, then download the update file from the authorized company and scan it with an extremely high detection rate signature-based scanner before running it.

Most users would not go for this, but if one were willing to use such a system, wouldn't that be locked down as close to 100% as you could get?

No more auto-updates for anything, even your browser. If you need to do updates to non-O/S programs, then download the update file from the authorized company and scan it with an extremely high detection rate signature-based scanner before running it.


A properly handled auto-update mechanism is actually more secure than this. If they use digital signing, then the auto-updater will only install what's signed with the digital key. No ability to forge signatures, etc. They would have to steal it.

And a lack of quick patching is far more dangerous anyway.
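One way to see why the signed auto-update described in this reply holds up, as an added example that is not code from the original thread or from any particular vendor: a minimal Go updater that pins the publisher's Ed25519 public key and accepts a downloaded payload only if its detached signature verifies under that key. It also refuses to step backwards to an older signed build, which is an addition beyond what the reply mentions. The key pair, version counter and payload bytes are constructed for the demo; in a real client only the public key ships, compiled into the updater.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is one downloaded update: a monotonically increasing version
// counter, the payload bytes, and the detached signature shipped with them.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned publisher key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// signedDigest binds the version counter to the payload hash, so a valid
// signature for one payload cannot be reused with another payload or version.
func signedDigest(version uint64, payload []byte) []byte {
	h := sha256.New()
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the publisher side (a hypothetical build server): it signs
// the digest with the private key, which never leaves the publisher.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// VerifyUpdate is the client side: accept only if the signature verifies
// under the key pinned in the updater AND the version moves forward.
// Tampered bytes, a different signer, or a replayed old build are all
// refused before a single byte of the payload is executed.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pinned, signedDigest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo keys; only pub would ever be shipped to clients.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	good := SignUpdate(priv, 2, []byte("installer bytes v2 (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Payload = []byte("installer bytes v2, modified in transit (constructed)")
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, tampered))

	forged := SignUpdate(otherPriv, 3, []byte("looks like v3 (constructed)"))
	fmt.Println("signed by wrong key:", VerifyUpdate(pub, 1, forged))

	fmt.Println("replayed old build:", VerifyUpdate(pub, 5, good))
}
```

The point the reply makes shows up in the second and third checks: changing one byte of the payload, or signing with any key other than the pinned one, fails verification, so an attacker on the network path gains nothing unless the publisher's private key is stolen. The rollback check is there because a signed but old, vulnerable build is still a validly signed file; the version counter inside the signed digest is what stops it from being replayed.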

wouldn't that be locked down as close to 100% as you could get?


Not really.

1) You still need exposed services like DNS.

2) You still have the entire browser exposed, with a ton of attack surface that you've added by having all programs use it for their connections.

3) MITM attacks aren't solved by the above, so common browsing is still vulnerable to being sniffed or manipulated.

4) Firewall code is still code.

5) Physical attacks like USB.

6) Attacks on the network, like the router.

7) Most of this seems to rely on detection, which means all an attacker has to do is change.

It does nothing for *local* security, so all that's needed is RCE, and then it's a matter of just hooking into various programs or exploiting the kernel or some service.